# create a new proxy server

- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=proxies:proxies-stg"

- name: make the box be real
  hosts: proxies-stg:proxies
  user: root
  gather_facts: True

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
  - base
  - hosts
  - rkhunter
  - nagios_client
  - fas_client
  - collectd/base
  - sudo
  - rsyncd
  - { role: openvpn/client,
      when: env != "staging" }
  - apache

  tasks:
  - include: "{{ tasks }}/yumrepos.yml"
  - include: "{{ tasks }}/2fa_client.yml"
  - include: "{{ tasks }}/motd.yml"

  # You might think we would want these tasks on the proxy nodes, but they
  # actually deliver a configuration that our proxy-specific roles below then go
  # and overwrite... so, let's just leave them out.
  #- include: "{{ tasks }}/apache.yml"
  #- include: "{{ tasks }}/mod_wsgi.yml"

  handlers:
  - include: "{{ handlers }}/restart_services.yml"


  # TODO
  #
  # - fedora-web::build (bapp0*)
  # - fedora-docs::build (bapp0*)
  # - review-stats::build (bapp0*)
  # - membership-map::build (bapp0*)
  #
  ## TBD
  # - sysctl ip_conntrack_max bits  - do we still need this on rhel7?
  # - semanage ports.. we're likely going to need one for every app.
  # - sebooleans.. let's try running first, see what gets blocked, and then
  #                selectively enable where semanage port fails
  #
  ## Not going to do
  # - smolt::proxy -- note going to do this.  smolt is dead.  long live smolt.
  # - domainnotarget stuff - only smolt used this


- name: Set up the proxy basics
  hosts: proxies-stg:proxies
  user: root
  gather_facts: False

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
  - include: "{{ handlers }}/restart_services.yml"

  roles:
  - httpd/proxy
  - varnish

# After setting up the "basics" of the proxy hosts above, here below we break
# out the proxy-specific configuration into a couple different sub-playbooks.
# Othewise, this file would be unbearably long.

- include: /srv/web/infra/ansible/playbooks/include/proxies-certificates.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-websites.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-reverseproxy.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-rewrites.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-redirects.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-fedora-web.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-haproxy.yml
- include: /srv/web/infra/ansible/playbooks/include/proxies-miscellaneous.yml

#- name: Some after the after stuff for proxies.
#  hosts: proxies-stg
#  user: root
#  gather_facts: False
#
#  vars_files:
#   - /srv/web/infra/ansible/vars/global.yml
#   - "/srv/private/ansible/vars.yml"
#   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
#
#  tasks:
#
#  ## TODO - we should audit each one of these sebooleans to make sure they're
#  ## really necessary.  The proxies are more forward-facing than other machines
#  ## so we should take a little more care..
#  ## Really, before we are generally allowing httpd to do stuff carte blanche,
#  ## we should lock things down with 'semanage port' first.  See
#  ## roles/fedmsg/base/ for an example.
#  #
#  #- name: Set some sebooleans
#  #  seboolean: name={{item}} state=true persistent=true
#  #  with_items:
#  #  - httpd_can_network_connect_db
#  #  - httpd_can_network_relay
#  #  - httpd_can_network_connect
#  #  - allow_ypbind
#  #  tags:
#  #  - selinux
